Platforms like GitHub (github.com) and GitLab (about.gitlab.com) enable seamless, dynamic collaboration between large and geographically diverse development teams, allowing them to build software applications more efficiently than in the past. Because open source and third-party software modules and libraries are flexible, reusable, and low-cost, developers now frequently incorporate such software into their applications, either directly or as application dependencies, and many of these modules and libraries are publicly available for download and use without restriction.
However, an inherent risk in using open source or third-party software is that the code may contain vulnerabilities that significantly compromise the security and integrity of the overall software application. The provenance of third-party software is often difficult to determine. In addition, potential or actual vulnerabilities may not be immediately apparent and may go undetected for weeks or months after the related source code has been integrated into a production software application build. A vulnerability shipped in a live application could allow malicious actors to gain unauthorized access to backend systems, perform unauthorized functions or transactions, or otherwise degrade the stability or security of the application itself or of other enterprise computing systems that the application utilizes or with which it communicates. Therefore, to eliminate or minimize the risk of releasing a vulnerable application, it is important for software application developers to know whether any vulnerabilities exist in the open source or third-party modules that the application uses.
Another consideration that developers face is whether the code, libraries, or functions associated with identified vulnerabilities are actually called by the software application during execution, and if so, which application modules rely on or invoke the vulnerable code. In complex software applications it is generally difficult to track every invocation of a particular application dependency (such as a package, class, or method), particularly given the wide variety of use cases to which the application may be put during typical use and the number of developers who may write code for the application. It can be a waste of time and resources to allow developers to integrate open source or third-party software into an application build, only to realize after the fact that the integrated software includes show-stopping vulnerabilities.
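The two questions raised above, whether a pinned dependency falls in a known-vulnerable version range and whether the vulnerable function is actually reachable from the application's entry point, can be answered mechanically. The following Python script is an added illustration and is not part of the original text; it embeds a constructed lockfile, a hypothetical advisory for a hypothetical package named imgutil, and three small constructed application modules as source strings, then builds a call graph with the standard-library ast module and searches it for call chains that end at the vulnerable symbol. The module names, package name, version numbers, and function names are all assumptions made for the example.

```python
"""Version match plus call-graph reachability for a vulnerable dependency symbol.

Constructed example: the lockfile, the advisory, the ``imgutil`` package and the
application modules below are hypothetical and exist only to exercise the logic.
"""
import ast
from collections import deque

# Constructed dependency pins and a constructed advisory (hypothetical package).
LOCKFILE = {"imgutil": "1.2.0", "httpkit": "3.0.1"}
ADVISORY = {"package": "imgutil", "fixed_in": "1.4.0", "symbol": "imgutil.parse_header"}

# Constructed application modules. Only ``thumbs.make_thumb`` calls the
# vulnerable function; ``report`` imports the package but never calls it.
APP_SOURCES = {
    "app": "import thumbs\nimport report\n\ndef main():\n    thumbs.make_thumb(b'data')\n    report.summary()\n",
    "thumbs": "from imgutil import parse_header\n\ndef make_thumb(blob):\n    hdr = parse_header(blob)\n    return hdr\n",
    "report": "import imgutil\n\ndef summary():\n    return imgutil.version()\n",
}


def version_tuple(v):
    """Dotted numeric version string -> comparable tuple (simplified, no pre-releases)."""
    return tuple(int(p) for p in v.split("."))


def is_affected(lockfile, advisory):
    """True when the pinned version is older than the advisory's fixed version."""
    pinned = lockfile.get(advisory["package"])
    return pinned is not None and version_tuple(pinned) < version_tuple(advisory["fixed_in"])


class _Calls(ast.NodeVisitor):
    """Record, for each function defined in one module, the qualified names it calls."""

    def __init__(self, module):
        self.module = module
        self.aliases = {}   # local name -> qualified import target
        self.graph = {}     # "module.func" -> set of callee qualified names
        self.current = None

    def visit_Import(self, node):
        for a in node.names:
            self.aliases[a.asname or a.name] = a.name

    def visit_ImportFrom(self, node):
        for a in node.names:
            self.aliases[a.asname or a.name] = f"{node.module}.{a.name}"

    def visit_FunctionDef(self, node):
        self.current = f"{self.module}.{node.name}"
        self.graph.setdefault(self.current, set())
        self.generic_visit(node)
        self.current = None

    def visit_Call(self, node):
        target = self._qualify(node.func)
        if self.current and target:
            self.graph[self.current].add(target)
        self.generic_visit(node)

    def _qualify(self, func):
        # Bare name: imported alias or a function in this module. ``pkg.attr``: resolve pkg.
        if isinstance(func, ast.Name):
            return self.aliases.get(func.id, f"{self.module}.{func.id}")
        if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
            base = self.aliases.get(func.value.id, func.value.id)
            return f"{base}.{func.attr}"
        return None


def build_call_graph(sources):
    """Merge per-module call edges into one application-wide graph."""
    graph = {}
    for module, src in sources.items():
        visitor = _Calls(module)
        visitor.visit(ast.parse(src))
        graph.update(visitor.graph)
    return graph


def reachable_paths(graph, entry, target):
    """Breadth-first search; returns every call chain from entry that ends at target."""
    paths = []
    queue = deque([[entry]])
    while queue:
        path = queue.popleft()
        for callee in sorted(graph.get(path[-1], ())):
            if callee == target:
                paths.append(path + [callee])
            elif callee in graph and callee not in path:   # only walk into app code
                queue.append(path + [callee])
    return paths


def audit(lockfile, advisory, sources, entry):
    """Answer both questions: is the pin affected, and is the symbol reachable?"""
    if not is_affected(lockfile, advisory):
        return {"affected": False, "paths": []}
    return {"affected": True, "paths": reachable_paths(build_call_graph(sources), entry, advisory["symbol"])}


if __name__ == "__main__":
    print(audit(LOCKFILE, ADVISORY, APP_SOURCES, "app.main"))
```

Run from app.main the script reports the single chain app.main -> thumbs.make_thumb -> imgutil.parse_header, while report.summary, which imports the same package, produces no path. The resolver is deliberately simple (it ignores dynamic dispatch, getattr, and re-exports), so a clean result is evidence of absence only within those limits; a production tool would need to handle those cases before a "not reachable" verdict could be used to deprioritize an upgrade.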